Since payments to false vendors carry such potential for material loss, the auditor
is concerned about the integrity of the valid vendor file. By gaining access to the file, a
computer criminal can place his or her name on it and masquerade as an authorized
vendor. The auditor should therefore assess the adequacy of access controls protecting
the file. These include password controls, restricting access to authorized managers, and
using data encryption to prevent the file contents from being read or changed.
As discussed in previous chapters, computer access controls are both system-wide
and application-specific. Access control includes controlling access to the operating systems,
the networks, and the databases with which all applications interact. The auditors
will typically test these controls as part of their review of general controls.
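
One way an auditor might test that only authorized managers can change the valid vendor file, as an added example that is not part of the original text: the script replays a change log for the file, lists every write made by a user outside the authorized list, and identifies the vendors still on file that such users added or altered. The log layout, user names, and vendor IDs are constructed for illustration.

```python
import csv
import io

# Constructed sample data: the authorized-manager list and a change log for
# the valid vendor file. Field names and values are assumptions, not real data.
AUTHORIZED_MANAGERS = {"mgr_ortiz", "mgr_chen"}

CHANGE_LOG = """timestamp,user,action,vendor_id
2024-03-01T09:12:00,mgr_ortiz,ADD,V1001
2024-03-02T14:40:00,clerk_hall,UPDATE,V1001
2024-03-04T23:05:00,clerk_hall,ADD,V1002
2024-03-05T10:00:00,mgr_chen,ADD,V1003
2024-03-06T11:30:00,temp_ray,ADD,V1004
2024-03-07T08:15:00,mgr_chen,DELETE,V1004
"""

WRITE_ACTIONS = {"ADD", "UPDATE", "DELETE"}


def unauthorized_changes(log_text, authorized):
    """Return every write to the vendor file made by a non-authorized user."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows
            if r["action"] in WRITE_ACTIONS and r["user"] not in authorized]


def vendors_to_confirm(log_text, authorized):
    """Vendors still on file that an unauthorized user added or altered.

    Assumes the log is in chronological order. A record stays flagged until
    it is deleted, even if an authorized manager later updates it.
    """
    tainted = set()
    for r in csv.DictReader(io.StringIO(log_text)):
        vid = r["vendor_id"]
        if r["action"] == "DELETE":
            tainted.discard(vid)          # record is no longer on the file
        elif r["action"] in WRITE_ACTIONS and r["user"] not in authorized:
            tainted.add(vid)              # added or changed outside the control
    return sorted(tainted)


if __name__ == "__main__":
    for r in unauthorized_changes(CHANGE_LOG, AUTHORIZED_MANAGERS):
        print("EXCEPTION", r["timestamp"], r["user"], r["action"], r["vendor_id"])
    print("Confirm vendors:", vendors_to_confirm(CHANGE_LOG, AUTHORIZED_MANAGERS))
```

A vendor that was added without authorization and later deleted drops out of the confirmation list but still appears among the exceptions, so payments made while it was on file can be traced.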